-
March 12th, 2003, 10:03 PM
#11
Junior Member
Re: RH 8 local root vulnerability
Originally posted here by VictorKaum
Their response so far:
Hi Victor, thanks for contacting us.
This is a quick note to say that we received your report and that we'll
take a look at it this week. Once we've investigated we'll get back to
you.
Thanks, Mark
-- Mark J Cox / Security Response Team / Red Hat
Did they get back to you?
Absent-minded admins could encounter some funny stuff if not aware of this 'default' problem. Luckily most are probably still using the 7.3 instead of the newest release.
I'm still curious about the reply, please keep us informed.
-
March 12th, 2003, 10:24 PM
#12
At least you gave redhat time to patch the problems. How many security teams out there give the vendor a 20 minute notice before posting the exploit?
-
March 12th, 2003, 10:52 PM
#13
Yes, they got a month before it was made public.
Still no reply... however I'm optimistic about RedHat's goals and work, so I think they will sooner or later come up with a solution. After all, this is not a directly exploitable problem in the true sense of the word (it's only local and in certain circumstances), so it's a real and important problem, but I would say not so urgent that a patch has to be made for it immediately.
On the other hand... getting root that easy... they should be ashamed.
-
March 14th, 2003, 11:47 PM
#14
Yes, I generally like RedHat. But the last 8.0 seems to have a little bunch of problems (speed, security, bugs...). I'm still under 7.3, but I am frightened to view RedHat becoming contaminated by the M$ effect.
I hope they will not become like this!
KC
Life is boring. Play NetHack... --more--
-
March 15th, 2003, 12:23 AM
#16
Two things from The Fiendish one:
1. Congratulations and a pat on the back to Vic for finding this out and testing it. I like that you found this yourself, that's awesome man, nice!!
2. I want to give my opinion on the Red Hat becoming Windows thing. In my opinion I think they are kinda going in that direction; their boughten distro is the most expensive, but also, as I've seen before, when you spend that 200 in cash for Red Hat 8 you can look at the source and change it around if you want. I think they'd be OK if they lowered the price and tried a lil harder on security.
-
March 15th, 2003, 06:18 PM
#18
About RedHat becoming like M$. Well, the Linux community has always been considered 'against' M$. But let's face it: who's one of the richest people on earth? What firm has the major share in home OSes? What OS do most home users feel comfortable with? So while there are many things we all hate M$ for, they have done in a certain sense a very good job. Therefore if RedHat wants to make a system that is as easy as Windows, as secure and stable as Linux, supporting a lot of hardware and on top of all that based on open source, why not?
I mean, if we want to set something against all that TCPA stuff and other bad things that perhaps are going to happen, we better make sure there's an easy Linux for the big public too. There are just people that don't want to compile their kernel or install stuff etc... they just want a box that helps them with their office work, where they can play games, burn a CDRW, play a sound or a DVD.
So if we want our uber 1337 modded super fast stripped linux machines, no problem. There are just people that are happy with less.
Anyway, I hope RedHat comes up with a patch.
-
March 15th, 2003, 09:19 PM
#20
I agree with making Linux easier to use so more people can use it; just in my opinion Red Hat isn't for me. When I first started Linux I used Mandrake, which was very simple; it was Mandrake 7.1. Right now I use SuSE Linux 8.1, which to me is very easy and also has things for advanced users, and since I'm German, it's kinda nice it's made where my ancestors came from. Also I think Red Hat is a good distro (not for me, it's just not my thing), but for me I just like Debian, Slackware and SuSE more. I didn't mean to sound like a Red Hat hating machine, it's just not for me, but for people that are like you said, that and SuSE and Mandrake are perfect. I love SuSE, it has great GUI based things, and also I don't know if you've ever used it but there's an option when you log in (you pick it in the spot where you pick what GUI to use) called xsplash I think? It's a CLI but lets you load GUI things and has a nice looking GUI, just it's all a command line, and also you can use your mouse. To me that's awesome because people afraid to learn without a GUI (I used to be) can use that or eterm, which is another nice thing to have. Also SuSE has awesome hardware support: it found and installed drivers for my ZIP drive (external) and also everything I had except my scanner, and hasn't had a problem. My last uptime (today) was over 7 days and I had things loaded and using things and I work that machine out. Now that may not seem like much to a server or someone who built their PC, but this is a computer that's almost 4 years old (my first PC) and only has two fans and no hardware mods except RAM.
http://www.linux.org is in my opinion a great resource, it has everything from tools to a walkthrough of an install.
http://www.linuxiso.org is in my opinion one of the best places to download a distro, they have more than just Linux and it's great.
But anyway, this post is longer than I anticipated, so sorry about that, but I wanted my opinion in. Good luck to you in future hole findings; I thought it was neat that you found that in Red Hat.